<!DOCTYPE html>
<html lang="">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="//cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/npm/pace-js@1/themes/blue/pace-theme-minimal.css">
  <script src="//cdn.jsdelivr.net/npm/pace-js@1/pace.min.js"></script>

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"blog.wendell.pro","root":"/","scheme":"Mist","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"always","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="本文首发于先知社区,链接:https:&#x2F;&#x2F;xz.aliyun.com&#x2F;t&#x2F;9177  When TLS Hacks You出了一个利用tls进行ssrf的姿势,而且赵师傅在西湖论剑2020 Web HelloDiscuzQ 题也做了一些新研究,很早之前就想学习一下这个,不过一直咕,趁现在空下来了,研究一下.">
<meta property="og:type" content="article">
<meta property="og:title" content="BlackHat2020 议题 「When TLS Hacks You」 复现">
<meta property="og:url" content="http://blog.wendell.pro/2021/01/29/BlackHat2020%20%E8%AE%AE%E9%A2%98%20When%20TLS%20Hacks%20You%20%E5%A4%8D%E7%8E%B0/index.html">
<meta property="og:site_name" content="Wendell&#39;s blog">
<meta property="og:description" content="本文首发于先知社区,链接:https:&#x2F;&#x2F;xz.aliyun.com&#x2F;t&#x2F;9177  When TLS Hacks You出了一个利用tls进行ssrf的姿势,而且赵师傅在西湖论剑2020 Web HelloDiscuzQ 题也做了一些新研究,很早之前就想学习一下这个,不过一直咕,趁现在空下来了,研究一下.">
<meta property="og:locale">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128141802337.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126214135464.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128144043823.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/uml.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/640">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128154459168.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128151815356.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126212832133.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126213801318.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126212540359.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128161019644.png">
<meta property="og:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128160618062.png">
<meta property="article:published_time" content="2021-01-29T08:47:53.000Z">
<meta property="article:modified_time" content="2021-02-25T07:17:44.430Z">
<meta property="article:author" content="Wendell">
<meta property="article:tag" content="BlackHat2020 议题">
<meta property="article:tag" content="复现">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128141802337.png">

<link rel="canonical" href="http://blog.wendell.pro/2021/01/29/BlackHat2020%20%E8%AE%AE%E9%A2%98%20When%20TLS%20Hacks%20You%20%E5%A4%8D%E7%8E%B0/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'default'
  };
</script>

  <title>BlackHat2020 议题 「When TLS Hacks You」 复现 | Wendell's blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="Wendell's blog" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Wendell's blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>Tags</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>Categories</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="default">
    <link itemprop="mainEntityOfPage" href="http://blog.wendell.pro/2021/01/29/BlackHat2020%20%E8%AE%AE%E9%A2%98%20When%20TLS%20Hacks%20You%20%E5%A4%8D%E7%8E%B0/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/avatar.jpg">
      <meta itemprop="name" content="Wendell">
      <meta itemprop="description" content="Wendell blog">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Wendell's blog">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          BlackHat2020 议题 「When TLS Hacks You」 复现
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2021-01-29 16:47:53" itemprop="dateCreated datePublished" datetime="2021-01-29T16:47:53+08:00">2021-01-29</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2021-02-25 15:17:44" itemprop="dateModified" datetime="2021-02-25T15:17:44+08:00">2021-02-25</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Web%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">Web安全</span></a>
                </span>
            </span>

          
            <span class="post-meta-item" title="Views" id="busuanzi_container_page_pv" style="display: none;">
              <span class="post-meta-item-icon">
                <i class="fa fa-eye"></i>
              </span>
              <span class="post-meta-item-text">Views: </span>
              <span id="busuanzi_value_page_pv"></span>
            </span>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <blockquote>
<p>本文首发于先知社区,链接:<a target="_blank" rel="noopener" href="https://xz.aliyun.com/t/9177">https://xz.aliyun.com/t/9177</a></p>
</blockquote>
<p>When TLS Hacks You出了一个利用tls进行ssrf的姿势,而且赵师傅在<a target="_blank" rel="noopener" href="https://www.zhaoj.in/read-6681.html">西湖论剑2020 Web HelloDiscuzQ 题</a>也做了一些新研究,很早之前就想学习一下这个,不过一直咕,趁现在空下来了,研究一下.</p>
<a id="more"></a>
<p>这个是一个ssrf的新姿势,如果可以利用的话,只要对方服务器可以利用https协议,就可以打内网服务.</p>
<p>但是打过去的payload会有一些垃圾字符,常见可以利用的是memcached,ftp和smtp,而redis据原作者所说,因为0字节会截断,不能攻击</p>
<h2 id="前置知识"><a href="#前置知识" class="headerlink" title="前置知识"></a>前置知识</h2><h3 id="tls1-2握手和会话复用"><a href="#tls1-2握手和会话复用" class="headerlink" title="tls1.2握手和会话复用"></a>tls1.2握手和会话复用</h3><p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128141802337.png" alt="image-20210128141802337"></p>
<p>上面这个图简单的描述了TLS握手过程,每个框都是一个记录,多个记录组成一个TCP包发送,在tcp握手之后,经过4个消息,就可以完成TLS握手过程</p>
<p>在ServerHello消息中,</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126214135464.png" alt="image-20210126214135464"></p>
<p>会有一个sessionID字段,用于再次连接时的会话复用,</p>
<p>会话复用时,客户端发送发生首次连接时保存的来自服务器的会话id,找到后就直接用主密钥恢复会话状态，跳过证书验证和密钥交换阶段.</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128144043823.png" alt="image-20210128144043823"></p>
<h3 id="dns重绑定攻击"><a href="#dns重绑定攻击" class="headerlink" title="dns重绑定攻击"></a>dns重绑定攻击</h3><p>当dns的TTL(生存时间)是一个非常小的值的时候,DNS回复仅在短时间内有效,攻击者DNS首次回复了有效的IP的地址,第二次恢复恶意地址,就会造成DNS重绑定攻击</p>
<h3 id="AAAA记录和A记录"><a href="#AAAA记录和A记录" class="headerlink" title="AAAA记录和A记录"></a>AAAA记录和A记录</h3><p>AAAA记录是域名的ipv6地址,A记录是域名的ipv4地址,可能因为现在对ipv6的支持问题,</p>
<p>curl会优先请求AAAA记录的地址,如果无法连接,则会连接ipv4地址</p>
<h2 id="攻击原理"><a href="#攻击原理" class="headerlink" title="攻击原理"></a>攻击原理</h2><h3 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h3><p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/uml.png" alt="Attack flow"></p>
<p>如上图,在TSL首次握手时,session_id来自服务端,而后在一次新的连接时,在客户端会进行会话复用时,这时,session_id由客户端首先发给服务端.</p>
<p>原作者提出,在curl对会话复用的判断中,只判断了目标服务的域名、端口以及协议是否一致,没有判断ip</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/640" alt="图片"></p>
<p>如果服务器是恶意攻击者控制的,session_id被设置成攻击者想发送的恶意payload,在客户端第二次请求时,将ip改成127.0.0.1, 既可利用恶意的session_id攻击客户端本地的服务,</p>
<p>恶意的TLS服务器,只要一个正常的TLS服务器把sessionid改掉就好,现在问题是如何把客户端在第二次请求时目的ip改掉.这里有两种姿势.</p>
<h3 id="ip改变的方法"><a href="#ip改变的方法" class="headerlink" title="ip改变的方法"></a>ip改变的方法</h3><h4 id="dns重绑定"><a href="#dns重绑定" class="headerlink" title="dns重绑定"></a>dns重绑定</h4><p>一个很简单的想法就是利用dns重绑定,在第二次请求dns解析时改变ip,这个也是When TLS Hacks You那篇议题原作者提出的方法,赵师傅在文章中提到curl对dns做了缓存,导致第二次请求时没有进行dns查询,导致无法利用,但其实原作在中间还加了一些处理,恶意的TLS服务端永远只返回的301跳转,并且在返回前会sleep一段时间,curl在一次次的301跳转中耗尽dns缓存的时间,会重新进行dns查询.</p>
<p>这里有一个坑,按照原作者github搭出来的话,301跳转以后就会报一个unexpected message的错误,</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128154459168.png" alt="image-20210128154459168"></p>
<p>导致无法一直301跳转进行利用,最终我利用赵师傅改的<a target="_blank" rel="noopener" href="https://github.com/glzjin/tlslite-ng">tlslite-ng</a>,再次魔改,才完成复现.</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128151815356.png" alt="image-20210128151815356"></p>
<p>可以看到这里跳转了5次,才改变了ip</p>
<h4 id="AAAA和A记录"><a href="#AAAA和A记录" class="headerlink" title="AAAA和A记录"></a>AAAA和A记录</h4><p>赵师傅提出了一个新的改ip的姿势,</p>
<p>因为curl对AAAA和A记录的特殊处理,我们只要设置AAAA记录返回一个服务器ipv6的ip,A记录返回127.0.0.1,,并且在服务器第二次访问时,服务端下线.</p>
<p>第一次服务器访问ipv6地址,在服务器第二次请求时访问ipv6的地址,发现无法无法访问,会转而请求ipv4地址,造成ip改变</p>
<p>具体操作可以参考赵师傅的文章.</p>
<h2 id="复现"><a href="#复现" class="headerlink" title="复现"></a>复现</h2><p><a target="_blank" rel="noopener" href="https://gitee.com/wendell_tong/tls_poison_study">https://gitee.com/wendell_tong/tls_poison_study</a></p>
<p>配置域名的ns和a记录</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">dns.example.com A 300 &lt;DNS_IP&gt;</span><br><span class="line">tlstest.example.com NS 300 dns.example.com</span><br></pre></td></tr></table></figure>
<p>启动dns服务器</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 alternate-dns.py tlstest.example.com,127.0.0.1 -b 0.0.0.0 -t tlsserverip </span><br></pre></td></tr></table></figure>
<p>127.0.0.1是要进行ssrf攻击目标的ip,这里我为了方便抓包设置了118.*的ip</p>
<p>然后在tlslite-ng/tlslite目录,启动TLS服务,注意证书要自己配置,</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 tls.py server --max-ver tls1.2 -k 2_tlstest111.wetolink.com.key -c 1_tlstest111.wetolink.com_bundle.crt 0.0.0.0:11212</span><br></pre></td></tr></table></figure>
<p>这时受害者主机以http访问</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl -4 -kvL https:&#x2F;&#x2F;tlstest.example.com:11212</span><br></pre></td></tr></table></figure>
<p>就会被攻击,</p>
<p>注意要允许301跳转,并且使用tls1.2.</p>
<p>可以看到在多次跳转之后,curl改变了访问ip</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126212832133.png" alt="image-20210126212832133"></p>
<p>在恶意的session_id被成功发往服务端</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126213801318.png" alt="image-20210126213801318"></p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210126212540359.png" alt="image-20210126212540359"></p>
<h2 id="影响范围"><a href="#影响范围" class="headerlink" title="影响范围"></a>影响范围</h2><p>原作者pdf的图就说的挺清楚的,下图是受影响的客户端,</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128161019644.png" alt="image-20210128161019644"></p>
<p>下图是可以攻击的目标,因为会有一些垃圾字符的干扰,Memcached的利用是比较多的</p>
<p><img src="https://cdn.jsdelivr.net/gh/W4ndell/static/img/image-20210128160618062.png" alt="image-20210128160618062"></p>
<h2 id="参考资料"><a href="#参考资料" class="headerlink" title="参考资料"></a>参考资料</h2><p><a target="_blank" rel="noopener" href="https://www.blackhat.com/eu-20/briefings/schedule/index.html">https://www.blackhat.com/eu-20/briefings/schedule/index.html</a></p>
<p><a target="_blank" rel="noopener" href="https://i.blackhat.com/USA-20/Wednesday/us-20-Maddux-When-TLS-Hacks-You.pdf">https://i.blackhat.com/USA-20/Wednesday/us-20-Maddux-When-TLS-Hacks-You.pdf</a></p>
<p><a target="_blank" rel="noopener" href="https://cqureacademy.com/conference-summary/bhus2020-1-when-tls-hacks-you">https://cqureacademy.com/conference-summary/bhus2020-1-when-tls-hacks-you</a></p>
<p><a target="_blank" rel="noopener" href="https://github.com/jmdx/TLS-poison">https://github.com/jmdx/TLS-poison</a></p>
<p><a target="_blank" rel="noopener" href="https://www.zhaoj.in/read-6681.html#i-5">https://www.zhaoj.in/read-6681.html#i-5</a></p>
<p><a target="_blank" rel="noopener" href="https://mp.weixin.qq.com/s/GT3Wlu_2-Ycf_nhWz_z9Vw">https://mp.weixin.qq.com/s/GT3Wlu_2-Ycf_nhWz_z9Vw</a></p>
<p>极客时间&lt;透视HTTP协议&gt;</p>

    </div>

    
    
    
        

  <div class="followme">
    <p>Welcome to my other publishing channels</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/BlackHat2020-%E8%AE%AE%E9%A2%98/" rel="tag"># BlackHat2020 议题</a>
              <a href="/tags/%E5%A4%8D%E7%8E%B0/" rel="tag"># 复现</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2021/01/25/ssrf-%E6%80%BB%E7%BB%93-md-1/" rel="prev" title="ssrf_总结.md">
      <i class="fa fa-chevron-left"></i> ssrf_总结.md
    </a></div>
      <div class="post-nav-item"></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%89%8D%E7%BD%AE%E7%9F%A5%E8%AF%86"><span class="nav-number">1.</span> <span class="nav-text">前置知识</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#tls1-2%E6%8F%A1%E6%89%8B%E5%92%8C%E4%BC%9A%E8%AF%9D%E5%A4%8D%E7%94%A8"><span class="nav-number">1.1.</span> <span class="nav-text">tls1.2握手和会话复用</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#dns%E9%87%8D%E7%BB%91%E5%AE%9A%E6%94%BB%E5%87%BB"><span class="nav-number">1.2.</span> <span class="nav-text">dns重绑定攻击</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#AAAA%E8%AE%B0%E5%BD%95%E5%92%8CA%E8%AE%B0%E5%BD%95"><span class="nav-number">1.3.</span> <span class="nav-text">AAAA记录和A记录</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E6%94%BB%E5%87%BB%E5%8E%9F%E7%90%86"><span class="nav-number">2.</span> <span class="nav-text">攻击原理</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#%E6%A6%82%E8%BF%B0"><span class="nav-number">2.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#ip%E6%94%B9%E5%8F%98%E7%9A%84%E6%96%B9%E6%B3%95"><span class="nav-number">2.2.</span> <span class="nav-text">ip改变的方法</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#dns%E9%87%8D%E7%BB%91%E5%AE%9A"><span class="nav-number">2.2.1.</span> <span class="nav-text">dns重绑定</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#AAAA%E5%92%8CA%E8%AE%B0%E5%BD%95"><span class="nav-number">2.2.2.</span> <span class="nav-text">AAAA和A记录</span></a></li></ol></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%A4%8D%E7%8E%B0"><span class="nav-number">3.</span> <span class="nav-text">复现</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%BD%B1%E5%93%8D%E8%8C%83%E5%9B%B4"><span class="nav-number">4.</span> <span class="nav-text">影响范围</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#%E5%8F%82%E8%80%83%E8%B5%84%E6%96%99"><span class="nav-number">5.</span> <span class="nav-text">参考资料</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Wendell"
      src="/avatar.jpg">
  <p class="site-author-name" itemprop="name">Wendell</p>
  <div class="site-description" itemprop="description">Wendell blog</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">5</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">3</span>
        <span class="site-state-item-name">categories</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">8</span>
        <span class="site-state-item-name">tags</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/W4ndell" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;W4ndell" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>


  <div class="links-of-blogroll motion-element">
    <div class="links-of-blogroll-title"><i class="fa fa-link fa-fw"></i>
      友情链接
    </div>
    <ul class="links-of-blogroll-list">
        <li class="links-of-blogroll-item">
          <a href="http://www.whiskeyjj.com/" title="http:&#x2F;&#x2F;www.whiskeyjj.com&#x2F;" rel="noopener" target="_blank">绝望的肉</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.yang99.top/" title="http:&#x2F;&#x2F;www.yang99.top&#x2F;" rel="noopener" target="_blank">Yang_99</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.fzwjscj.xyz/" title="http:&#x2F;&#x2F;www.fzwjscj.xyz&#x2F;" rel="noopener" target="_blank">fzwjscj</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://cherryc4t.top/" title="http:&#x2F;&#x2F;cherryc4t.top&#x2F;" rel="noopener" target="_blank">cherryc4t</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://www.7yue.top/" title="http:&#x2F;&#x2F;www.7yue.top&#x2F;" rel="noopener" target="_blank">7yue</a>
        </li>
        <li class="links-of-blogroll-item">
          <a href="http://gh0st.top/" title="http:&#x2F;&#x2F;gh0st.top" rel="noopener" target="_blank">gh0st</a>
        </li>
    </ul>
  </div>

      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Wendell</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://mist.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Mist</a>
  </div><script color="0,0,0" opacity="0.5" zIndex="-1" count="99" src="https://cdn.jsdelivr.net/npm/canvas-nest.js@1/dist/canvas-nest.js"></script>

        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-user"></i>
      </span>
      <span class="site-uv" title="Total Visitors">
        <span id="busuanzi_value_site_uv"></span>
      </span>
    </span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
      <span class="post-meta-item-icon">
        <i class="fa fa-eye"></i>
      </span>
      <span class="site-pv" title="Total Views">
        <span id="busuanzi_value_site_pv"></span>
      </span>
    </span>
</div>








      </div>
    </footer>
  </div>

  
  <script src="//cdn.jsdelivr.net/npm/animejs@3.1.0/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
